InfoBytes Blog
Filter
Subscribe to our InfoBytes Blog weekly newsletter and other publications for news affecting the financial services industry.
DOJ initiates SCRA action over auto auctions and dispositions
On March 3, the DOJ filed a complaint in the U.S. District Court for the Eastern District of North Carolina against a North Carolina-based towing company for allegedly auctioning off, selling, or disposing of vehicles owned by servicemembers through the use of court judgments obtained without filing proper military affidavits. Under the Servicemembers Civil Relief Act (SCRA), plaintiffs seeking a default judgment must “file an accurate military affidavit stating whether or not the defendant is in military service, or that the plaintiff is unable to determine the defendant’s military service status.” Towing companies are also required by the statute to make a good faith effort to determine if a defendant is in military service. A court may not enter a default judgment in favor of a plaintiff until after a servicemember has been appointed an attorney.
According to the complaint, the towing company disposed of servicemembers’ vehicles without complying with these requirements from at least 2017. The DOJ further claims that several factors should have alerted the towing company to the fact that the vehicles belonged to a servicemember, including that many of the vehicles were originally towed from locations on or near a military installation and many of the vehicles “had military decals, patches, and decorations, were financed through lenders geared towards members of the military, and contained military uniforms and paperwork, including orders.” The DOJ seeks damages for the affected servicemembers and civil penalties, as well as a court order enjoining the towing company from engaging in the illegal conduct.
OFAC sanctions Russian human rights abusers
On March 3, the U.S. Treasury Department’s Office of Foreign Assets Control (OFAC) announced sanctions, pursuant to Executive Order (E.O.) 13818, against three individuals involved in serious human rights abuses against a prominent Russian human rights defender. The designations are complemented by visa restrictions imposed by the Department of State against two of the individuals and their families. The Department of State also concurrently designated three other individuals pursuant to E.O. 14024 “for being or having been leaders, officials, senior executive officers, or members of the board of directors of the Government of the Russian Federation.” As a result of the sanctions, all property and interests in property belonging to the sanctioned persons that are in the U.S. or in the possession or control of U.S. persons are blocked and must be reported to OFAC. Additionally, “any entities that are owned, directly or indirectly, individually or in the aggregate, 50 percent or more by one or more blocked persons are also blocked.” U.S. persons are also generally prohibited from engaging in any dealings involving the property or interests in property of blocked or designated persons unless authorized by a general or specific license issued by OFAC, or exempt.
Agencies flag intermediaries in evading Russia-related sanctions
On March 2, the DOJ, the U.S. Treasury Department’s Office of Foreign Assets Control (OFAC), and the Department of Commerce’s Bureau of Industry and Security (BIS) issued a joint compliance note on the use of third-party intermediaries or transshipment points to evade Russian- and Belarussian-related sanctions and export controls. This is the first collective effort taken by the three agencies to inform the international community, the private sector, and the public about efforts taken by malign actors to evade sanctions and export controls in order to provide support for Russia’s war against Ukraine. The compliance note outlines enforcement trends and details attempts made by Russia “to circumvent restrictions, disguise the involvement of Specially Designated Nationals and Blocked Persons [] or parties on the Entity List in transactions, and obscure the true identities of Russian end users.” The compliance note also provides common red flags indicating whether a third-party intermediary may be engaged in efforts to evade sanctions or export controls, and outlines guidance for companies on maintaining effective, risk-based sanctions and export compliance programs. The agencies highlight other measures taken to constrain Russia, including stringent export controls imposed by BIS to restrict Russia’s access to technologies and other items, sanctions and civil money penalties issued against U.S. persons who violate OFAC sanctions and non-U.S. persons who cause U.S. persons to violate Russian sanctions programs, and the DOJ’s interagency law enforcement task force, Task Force KleptoCapture, which enforces sanctions, export controls, and economic countermeasures imposed by the U.S. and foreign allies and partners.
House committees move forward on data privacy
On March 1, the House Subcommittee on Innovation, Data, and Commerce, a subcommittee of the House Energy and Commerce Committee, held a hearing entitled “Promoting U.S. Innovation and Individual Liberty through a National Standard for Data Privacy” to continue discussions on the need for comprehensive federal privacy legislation. House Energy and Commerce Committee Chair Cathy McMorris Rodgers (R-WA) delivered opening remarks, commenting that discussions during the hearing will build upon the bipartisan American Data Privacy and Protection Act (ADPPA), which advanced through the committee last July by a vote of 53-2. As previously covered by InfoBytes, the ADPPA (see H.R. 8152) was sent to the House floor during the last Congressional session, but never came up for a full chamber vote. The bill has not been reintroduced yet.
A subcommittee memo highlighted that absent a comprehensive federal standard, “there are insufficient limits to what types of data companies may collect, process, and transfer.” The subcommittee flagged the data broker industry as an example of where there are limited restrictions or oversight to prevent the creation of consumer profiles that link sensitive data to individuals. Other areas of importance noted by the subcommittee relate to data security protections, data minimization requirements, digital advertising, and privacy enhancing technologies. The subcommittee heard from witnesses who agreed that a comprehensive privacy framework would benefit consumers.
One of the witnesses commented in prepared remarks that preemption is key, calling the current patchwork of state laws confusing and costly to businesses and consumers. “Consumers need a strong and consistent law to protect them across jurisdictions and market sectors, and to clarify what privacy rights they should expect and demand as they navigate the marketplace,” the witness said. The witness also stated that the FTC is currently relying on outdated law, noting that while Section 5 of the FTC Act is frequently used, “virtually all of the FTC’s privacy and data security cases are settlements. That means that many of the legal theories advanced, as well as the remedies obtained, have never been tested in court.”
In advance of the hearing, the California governor, the California attorney general, and the California Privacy Protection Agency sent a joint letter opposing preemption language contained in H.R. 8152. “[B]y prohibiting states from adopting, maintaining, enforcing, or continuing in effect any law covered by the legislation, [the ADPPA] would eliminate existing protections for residents in California and sister states,” the letter warned. The letter asked Congress “to set the floor and not the ceiling in any federal privacy law” and “allow states to provide additional protections in response to changing technology and data privacy protection practices.”
Separately, at the end of February, Chairman of the House Financial Services Committee, Patrick McHenry (R-NC) introduced the Data Privacy Act of 2023 (see H.R. 1165). The bill moved out of committee by a 26-21 vote, and now goes to the full House for consideration. Among other things, the bill would modernize the Gramm-Leach-Bliley Act to better align the statute with the evolving technological landscape. The bill would also ensure consumers understand how their data is being collected and used and grant consumers power to opt-out of the collection of their data and request that their data be deleted at any time. Additional provisions are intended to protect against the misuse or overuse of consumers’ personal data and impose disclosure requirements relating to data collection methods, how data is used and who it is shared with, data retention policies, and informed choice. The bill is designed to provide consistency across the country to reduce compliance burdens, McHenry said.
4th Circuit remands privacy suit to state court
On February 21, the U.S. Court of Appeals for the Fourth Circuit held that a proposed class action over website login procedures belongs in state court. Plaintiff alleged that after a nonparty credit reporting agency experienced a data breach, it used the defendant subsidiary’s website to inform customers whether their personal data had been compromised. Because the defendant’s website required the plaintiff to enter six digits of his Social Security number to access the information, the plaintiff alleged violations of South Carolina’s Financial Identity Fraud and Identity Theft Protection Act and the state’s common-law right to privacy. Under the state statute, companies are prohibited from requiring consumers to use six digits or more of their Social Security number to access a website unless a password, a unique personal identification number, or another form of authentication is also required. According to the plaintiff, the defendant’s website did not include this requirement.
The defendant moved the case to federal court under the Class Action Fairness Act and requested that the case be dismissed. Plaintiff filed an amended complaint in federal court, as well as a motion asking the district court to first determine whether it had subject matter jurisdiction, given the U.S. Supreme Court’s ruling in TransUnion LLC v. Ramirez, which clarified the type of concrete injury necessary to establish Article III standing (covered by InfoBytes here). Although the district court held that the plaintiff had alleged “an intangible concrete harm in the manner of an invasion of privacy,” which it said was enough to give it subject-matter jurisdiction “at this early stage of the case,” it dismissed the case after determining the plaintiff had not plausibly stated a claim.
In reversing and remanding the action, the 4th Circuit found that the plaintiff alleged only a bare statutory violation and had not pled a concrete injury sufficient to confer Article III standing in federal court. The appellate court vacated the district court’s decision to dismiss the case and ordered the district court to remand the case to state court. The 4th Circuit took the position that an intangible harm, such as a plaintiff “enduring a statutory violation” is insufficient to confer standing unless there is a separate harm “or a materially increased risk of another harm” associated with the violation. “[Plaintiff] hasn’t alleged—even in a speculative or conclusory fashion—that entering six digits of his SSN on [defendant’s] website has somehow raised his risk of identity theft,” the 4th Circuit said. In conclusion, the 4th Circuit wrote: “We offer no opinion about whether the alleged facts state a claim under the Act. Absent Article III jurisdiction, that’s a question for [plaintiff] to take up in state court.”
Republican lawmakers ask about risks of customers’ digital assets on balance sheets
On March 2, Senator Cynthia M. Lummis (R-WY) and Representative Patrick McHenry (R-NC) sent a letter to the Federal Reserve Board, FDIC, OCC, and NCUA requesting input on SEC guidance issued last year that directs cryptocurrency firms to account for customers’ digital assets on their balance sheets. Last April, the SEC issued Staff Accounting Bulletin No. 121 (SAB 121), covering obligations for safeguarding crypto-assets held by entities for platform users. Among other things, SAB 121 clarified that entities should track customer assets as a liability on their balance sheets. “[A]s long as Entity A is responsible for safeguarding the crypto-assets held for its platform users, including maintaining the cryptographic key information necessary to access the crypto-assets, the staff believes that Entity A should present a liability on its balance sheet to reflect its obligation to safeguard the crypto-assets held for its platform users,” SAB 121 explained.
Claiming that SAB 121 “purports to require banks, credit unions and other financial institutions to effectively place digital assets on their balance sheets,” the lawmakers argued that this “would trigger a massive capital charge,” and in turn would likely prevent regulated entities from engaging in digital asset custody. Rather, regulators should encourage regulated financial institutions to offer digital asset services, since they are subject to the highest level of oversight, the letter said. Among other things, the letter asked the regulators whether the SEC contacted them prior to issuing the guidance, and if they have directed regulated financial institutions to comply with SAB 121. The lawmakers also inquired whether the regulators “agree that SAB 121 potentially weakens consumer protection by preventing well-regulated banks, credit unions, and other financial institutions from providing custodial services for digital assets[.]” The letter pointed to the bankruptcy case of a now-defunct crypto lender, which classified all customers as unsecured creditors, as an example of the legal risk of requiring customer custodial assets be placed on an entity’s balance sheet. “SAB 121 places customer assets at greater risk of loss if a custodian becomes insolvent or enters receivership, violating the SEC’s fundamental mission to protect customers,” the lawmakers wrote.
OFAC settles with Indian tobacco company on North Korean transactions
On March 1, the U.S. Treasury Department’s Office of Foreign Assets Control (OFAC) announced a $332,500 settlement with an India-registered tobacco company to resolve allegations that it “requested payment in U.S. dollars for its indirect exportation of tobacco to the Democratic People’s Republic of Korea [(DPRK)].” According to OFAC’s web notice, in late 2016, an assistant manager at the company and a representative from a Thai intermediary began communicating about a prospective order of tobacco from a DPRK customer. A decision was eventually made not to include the DPRK customer or to list the DPRK in trade documents for the order. Rather, the order listed the Thai intermediary as the customer and China as the destination. OFAC maintained that the company issued three invoices to the Thai intermediary for its tobacco orders, and asked that payments be sent in USD to either the company’s bank account at a non-U.S. bank in India or to the India-branch of a U.S. bank. Between July and August 2017, four Hong Kong-organized intermediaries remitted funds to the company for these shipments and made five payments totaling approximately $369,228. Four of the five USD payments were sent to the non-U.S. bank, causing three U.S. financial institutions to clear the payments. The fifth payment was sent to the India-branch of a U.S. bank. By directing the Hong Kong intermediaries to remit payments in USD, OFAC claimed the company “caused U.S. correspondent banks that processed the payments, as well as the foreign branch of a U.S. bank, to export financial services to or otherwise facilitate the exportation of tobacco to the DPRK” in violation of the North Korea Sanctions Regulations.
In arriving at the settlement amount, OFAC determined, among other things, that several managers had actual knowledge of the alleged conduct at issue, and that the company “acted recklessly” by “fail[ing] to exercise a minimal degree of caution or care for U.S. sanctions laws and regulations and caus[ing] U.S. financial institutions to export financial services or otherwise facilitate the exportation of tobacco to the DPRK.”
OFAC also considered various mitigating factors, including that the company has not received a penalty notice from OFAC in the preceding five years. Additionally, the company undertook remedial measures upon learning of the alleged violations, cooperated with OFAC throughout the investigation, and agreed to toll the statute of limitations, the notice said.
Providing context for the settlement, OFAC said that this action “highlights the deceptive practices DPRK entities use to evade U.S. and international sanctions and acquire revenue-generating goods, such as by employing intermediaries in various countries to coordinate shipping and make payments.”
OFAC sanctions timeshare fraud network
On March 2, the U.S. Treasury Department’s Office of Foreign Assets Control (OFAC) announced sanctions, pursuant to Executive Order 14059, against eight Mexican companies connected to timeshare fraud on behalf of the Cartel de Jalisco Nueva Generacion (CJNG). The CJNG is also designated under E.O. 14059. OFAC described timeshare fraud typology, explaining that schemes often involve third-party scammers who claim to have ready buyers and make unsolicited purchase offers to timeshare owners. If these offers are accepted, the scammers ask timeshare owners to pay advance fees and taxes to “facilitate or expedite the sale with assurances of reimbursement upon closing.” However, timeshare owners, after making multiple payments, eventually realize that the offers do not exist and lose their money, OFAC said. In conjunction with the sanctions, OFAC issued an alert warning that perpetrators of timeshare fraud may falsely claim to represent OFAC to appear legitimate and further their fraud.
As a result of the sanctions, all property and interests in property of the designated persons located in the U.S. or held by U.S. persons is blocked and must be reported to OFAC. Further, “any entities that are owned, directly or indirectly, individually or in the aggregate, 50 percent or more by one or more blocked persons are also blocked.” U.S. persons are generally prohibited from engaging in any dealings involving the property or interests in property of blocked or designated persons unless authorized by an OFAC-issued general or specific license, or exempt. OFAC further warned that “U.S. persons may face civil or criminal penalties for violations of E.O. 14059 and the Kingpin Act.”
Fannie says appraisals are no longer required to establish market value
On March 1, Fannie Mae issued a Selling Guide announcement to introduce a range of options for establishing a property’s market value, noting that it is “moving away from implying that an appraisal is a default requirement.” As part of Fannie’s efforts to improve the efficiency and accuracy of the home valuation process, it is rolling out choices that balance “traditional appraisals with appraisal alternatives.” Options introduce the term “value acceptance,” which will be “used in conjunction with the term ‘appraisal waiver’ to better reflect the actual process of using data and technology to accept the lender-provided value.” A new option, “value acceptance + property data” will use property data collected by vetted third parties that conduct interior and exterior data collection on a property. This data will be used by the lender to confirm property eligibility (an appraisal will not be required). “Hybrid appraisals” will be “based on interior and exterior property data collection by a vetted and trained third-party that is provided to an appraiser to inform the appraisal.” Fannie explained that hybrid appraisals will be “permitted for certain one-unit transactions where value acceptance + property data was initially started, but changes in loan characteristics results in the transaction not being eligible for that option.”
The updates also allow for alternative methods to the Appraisal Update and/or Completion Report, including a borrower/builder attestation letter verifying completion of construction, and a borrower attestation letter confirming completion of repairs for existing construction. The updates also provide additional guidance on the use of sweat equity and revise timelines and expectations for lenders’ prefunding and post-closing quality control reviews, among other things.
FHA proposes to ease branch office registration
On March 1, FHA published FHA INFO 2023-14 announcing a proposed rule to eliminate a requirement that mortgagees and lenders register all branch offices conducting FHA business with HUD. Currently, all FHA-approved mortgagees and lenders are required to register any branch office where they originate Title I or II loans or submit applications for mortgage insurance. Due to technological advances and remote service delivery, this requirement is inconsistent with current industry practices, FHA said, explaining that the proposed rule will grant mortgagees and lenders the choice as to whether to register and maintain branch offices with HUD. The proposed rule also will make branch registration fees applicable only to those branch offices registered with HUD. Unregistered branch offices will not be subject to unnecessary registration fees and will not be placed on the HUD Lender List Search page. Comments on the proposed rule are due May 1.